
Answers to Microsoft Active Directory Interview Questions

Answers to Microsoft Active Directory Interview Questions. Here is the list of answers for my previous post 'Active Directory Interview Questions and Answers'. If you are landing directly on this page, please visit the post with questions.
1. Active Directory enables single sign-on to access resources on the network such as desktops, shared files, printers etc. Active Directory provides advanced security for the entire network and network resources. Active Directory is more scalable and flexible for administration.
2. Functional levels help the coexistence of Active Directory versions such as Windows NT, Windows 2000 Server, Windows Server 2003 and Windows Server 2008. The functional level of a domain or forest controls which advanced features are available in the domain or forest. Although the lowest functional levels help to coexist with legacy Active Directory, they will disable some of the new features of Active Directory. But if you are setting up a new Active Directory environment with the latest version of Windows Server and AD, you can set it to the highest functional level, so that all the new AD functionality will be enabled.
3. Windows Server 2003 Domain Functional Levels: Windows 2000 mixed (Default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.
Forest Functional Levels: Windows 2000 (default), Windows Server 2003 interim, Windows Server.
4. Windows Server 2008 Domain Functional Levels: Windows 2000 Native, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
Forest Functional Levels: Windows 2000, Windows Server 2008, Windows Server 2008 R2.
5. It is possible to take a backup copy of an existing Domain Controller and restore it on a Windows Server machine in remote locations with a slower WAN link.
6. Active Directory is designed for Server Operating Systems, and it cannot be installed on Windows 7.
7. Windows Server Operating System. Free hard disk space with NTFS partition. Administrator's privilege on the computer. Network connection with IP address, Subnet Mask, Gateway and DNS address. A DNS server, which can be installed along with the first Domain Controller. Windows Server installation CD or i386 folder.
8. Flexible Single Master Operation (FSMO) roles each manage an aspect of the domain or forest and, to prevent conflicts, are handled by single domain controllers in the domain or forest. They cover the tasks which are not suited to multi-master replication. There are 5 FSMO roles: the Schema Master and Domain Naming Master roles are handled by a single domain controller in a forest, and the PDC, RID Master and Infrastructure Master roles are handled by a single domain controller in each domain.
9. Infrastructure master role is a domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. Infrastructure master does not have any functions to do in a single domain environment. If the Domain controller with Infrastructure master role goes down in a single domain environment, there will be no impact at all. Whereas, in a complex environment with multiple domains, it may impact creation and modification of groups and group authentication.
10. Schema Master role and Domain Naming Master role.
11. PDC Emulator
12. You should be a member of the Enterprise Admins group or the Domain Admins group. Also you should be a member of the local Administrators group of the member server which you are going to promote as an additional Domain Controller.
13. Use the netdom query /domain:YourDomain FSMO command. It will list all the domain controllers handling FSMO roles.
14. No, there should be only one Domain Controller handling RID master role in a Domain.
15. There should be only one Domain Controller handling Infrastructure master role in a domain. Hence if you have two domains in a forest, you can configure two Infrastructure masters, one in each domain.
16. If PDC emulator crashes, there will be immediate impact on the environment. User authentication will fail as password changes won't take effect, and there will be frequent account lockout issues. Network time synchronization will be impacted. It will also impact DFS consistency and Group policy replication as well.
17. Domain controllers and Sites. Domain controllers are physical computers which are running Windows Server operating system and Active Directory database. A site is a network segment based on geographical location, and each site contains multiple domain controllers.
18. Domains, Organizational Units, trees and forests are logical components of Active Directory.
19. Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partitions based on the requirement.
20. Adding one group as a member of another group is called 'group nesting'. This will help for easy administration and reduced replication traffic.
21. Group types are categorized based on their nature. There are two group types: Security Groups and Distribution Groups. Security groups are used to apply permissions to resources whereas distribution groups are used to create Exchange server email communication groups. Group scopes are categorized based on the usage. There are three group scopes: Domain Local Group, Global Group and Universal Group.
22. Domain local groups are mainly used for granting access to network resources. A Domain local group can contain accounts from any domain, global groups from any domain and universal groups from any domain. For example, if you want to grant permission to a printer located at Domain A to 10 users from Domain B, then create a Global group in Domain B and add all 10 users into that Global group. Then, create a Domain local group at Domain A, and add the Global group of Domain B to the Domain local group of Domain A. Then, add the Domain local group of Domain A to the printer (of Domain A) security ACL.
23. Active Directory is backed up along with System State data. System state data includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third-party tools such as Symantec NetBackup, IBM Tivoli Storage Manager etc.
24. There are two types of Active Directory restores, Authoritative restore and Non-Authoritative restore.
25. Non-Authoritative means a normal restore of a single Domain controller in case that particular domain controller's OS or hardware crashed. After non-authoritative restoration is completed, it compares its database with peer domain controllers in the network and accepts all the directory changes that have been made since the backup. This is done through multi-master replication.
Whereas, in Authoritative restore, a restored database of a Domain controller is forcefully replicated to all the other domain controllers. Authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) which was accidentally deleted and needs to be restored.

26. We can use the NTDSUTIL command line to perform Authoritative restore of Active Directory. First, start a domain controller in 'Directory Service Restore Mode'. Then, restore the System State data of the Domain controller using the NTBACKUP tool. This is non-authoritative restore. Once non-authoritative restore is completed, we have to perform authoritative restore immediately before restarting the Domain Controller. Open command prompt and type NTDSUTIL and press enter, then type authoritative restore and press enter, then type restore database and press enter, click OK and then click Yes. This will restore all the data in authoritative restore mode. If you want to restore only a specific object or subtree, you can type the below command instead of 'restore database'.
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
27. Authoritative restore, Configurable settings, Partition management, Set DSRM Password etc.
28. A tombstone is a container object for deleted items from the Active Directory database. Even if objects are deleted, they will be kept hidden in the Active Directory database for a specific period. This period is known as tombstone lifetime. Tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.
29. Garbage collection is a process of Active Directory. This process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Then, the garbage collection process deletes unnecessary log files. And the process starts a defragmentation thread to claim additional free space. The garbage collection process runs on all the domain controllers at an interval of 12 hours.
30. In the multi-master replication method, replication conflicts can happen. Objects with replication conflicts will be stored in a container called the 'Lost and Found' container. This container is also used to store orphaned user accounts and other objects.
31. Lost and Found container can be viewed by enabling advanced features from the View menu of the Active Directory Users and Computers MMC.
32. Yes, it is included.
33. [Never say no] We had set up an additional domain for a new subsidiary of the firm, and I was a member of the team who handled installation and configuration of domain controllers for the sub domain. [or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in a test environment on several occasions.
34. No one installs Active Directory in a cluster. There is no need of clustering a domain controller, because Active Directory provides total redundancy with two or more servers.
35. Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed up AD database, rebooting the domain controller or restarting any services.
36. Read-only domain controller (RODC) is a feature of Windows Server 2008 Operating System. RODC is a read-only copy of the Active Directory database and it can be deployed in a remote branch office where physical security cannot be guaranteed. RODC provides more improved security and faster log on time for the branch office.
37. To find out forest and domain functional levels in GUI mode, open ADUC, right-click on the domain name and take properties. Both domain and forest functional levels will be listed there. To find out forest and domain functional levels, you can use the DSQUERY command.

38. KCC can be expanded as Knowledge Consistency Checker. It is a protocol process running on all domain controllers, and it generates and maintains the replication topology for replication within sites and between sites.
39. We can use command line tools such as repadmin and dcdiag. The GUI tool REPLMON can also be used for replication monitoring and troubleshooting.
40. SYSVOL is a folder that exists on each domain controller, which contains Active Directory related files and folders. SYSVOL mainly stores important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using File Replication Service (FRS).
41. Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource authentication and trust relationship functionality. Kerberos uses port number 88.
42. All versions of Windows Server Active Directory use Kerberos 5.
43. Kerberos 88, LDAP 389, DNS 53, SMB 445.
44. FQDN can be expanded as Fully Qualified Domain Name. It is a hierarchy of a domain name system which points to a device in the domain at its leftmost end. For example in system.
45. Dsadd: to add an object to the directory. Dsget: displays requested properties of an object in AD. Dsmove: used to move one object from one location to another in the directory. DSquery: to query specific objects.
46. A tree in Active Directory is a collection of one or more domains which are interconnected and share global resources with each other. If a tree has more than one domain, it will have a contiguous namespace. When we add a new domain in an existing tree, it will be called a child domain.
A forest is a collection of one or more trees which trust each other and share a common schema. It also shares common configuration and global catalog. When a forest contains more than one tree, the trees will not form a contiguous namespace.
47. Replication between domain controllers inside a single site is called Intrasite replication, whereas replication between domain controllers located in different sites is called Intersite replication. Intrasite replication will be very frequent, whereas Intersite replication will be at a specific interval and in a controlled fashion just to preserve network bandwidth.
48. Shortcut trust is a manually created transitive trust which is configured to enable a fast and optimized authentication process. For example, if we create a shortcut trust between two domains of different trees, they can quickly authenticate each other without traveling through the entire parent domains. Shortcut trust can be either one-way or two-way.
49. Selective authentication is generally used in forest trust and external trusts. Selective authentication is a security setting which allows administrators to grant access to shared resources in their organization's forest to a limited set of users in another organization's forest. Selective authentication method can decide which groups of users in a trusted forest can access shared resources in the trusting forest.
50. Trusts can be categorized by their nature. There can be two-way trust or one-way trust, implicit or explicit trust, transitive or non-transitive trust. Trust can be categorized by types, such as parent and child, tree root trust, external trust, realm trust, forest trust and shortcut trust.
51. ADAC (Active Directory Administrative Center) is a new GUI tool that came with Windows Server 2008 R2, which provides an enhanced data management experience to the admin. ADAC helps administrators to perform common Active Directory object management tasks across multiple domains with the same ADAC instance.
52. ADSIEDIT (Active Directory Service Interfaces Editor) is a GUI tool which is used to perform advanced AD object and attribute management. This Active Directory tool helps us to view objects and attributes that are not visible through normal Active Directory Management Consoles. ADSIEDIT can be downloaded and installed along with Windows Server 2003 Support Tools.
53. This is due to domain functional level. If the domain functional level of Windows Server 2003 AD is Windows 2000 Mixed, the Universal Group option will be greyed out. You need to raise the domain functional level to Windows 2000 native or above.
54. ADMT (Active Directory Migration Tool) is a tool which is used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers, and groups to new domains.
55. When a domain controller is disconnected for a period that is longer than the tombstone lifetime, one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008 using the REPADMIN utility.
56. The Global catalog is a container which contains a searchable partial replica of all objects from all domains of the forest, and a full replica of all objects from the domain where it is situated. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Global catalogs are mostly used in multi-domain, multi-site and complex forest environments, whereas Global catalog does not function in a single domain forest.
CLICK HERE for answers for questions 57 to 100.
I would love to hear your feedback and suggestions. Please notify me if you find any ambiguity or errors in these answers.
